topic CSS and IPSEC in the feature in Application Networking

CSS and IPSEC in the feature

Sbutzek — Thu, 07 Apr 2005 08:34:22 GMT

Hello,

is anything planned that the CSS will support IPSEC in Hardware?

I think this would only be possible with a new SCM Module. But i do not know if anything is planned out now.

Also i could not find any information, how much IPSEC Tracffic a CSS can handle in Software.

Any information about this would be great. Are we talking about MBit or KBit.

Or is the number of sessions the problem and not the bandwith?

Best Regards

Sven

Re: CSS and IPSEC in the feature

Gilles Dufour — Thu, 07 Apr 2005 08:47:49 GMT

Sven

the CSS does not support ipsec.

And will never support ipsec.

The CSS does SSL in hardware with the CSS5-SSL module.

The module allows you to encrypt/decrypt the SSL traffic.

Without the modulem we simply pass SSL traffic like any other TCP traffic.

So this traffic is handled in hardware.

We never decrypt/encrypt SSL in software.

Regards,

Gilles.

Re: CSS and IPSEC in the feature

Sbutzek — Thu, 07 Apr 2005 13:14:22 GMT

Hello Gilles,

thanks for your quick reply.

i think, you dit not understand what i mean.

The SSL Part i know.

But routing IPSEC protocoll over the css occurs in Software not in Hardware like IP traffic.

My question is, will there be a new generation of css, which changes this. So that IPSEC will be routet in hardware as IP traffic.

My other question was, how much traffic can be handeld via software. I have no idea if this is in the range of kbit/s or mbit/s or if the limit is the numer of sessions which can be establishd.

The CSM is not the coice for me, because it is not as config friendly as the CSS, also i need the Cat6500 as plattform.

Best Regards

Sven

Re: CSS and IPSEC in the feature

Gilles Dufour — Thu, 07 Apr 2005 13:47:39 GMT

Sven,

ok - I misunderstood.

IPSEC is routed because this is an unsupported protocol.

So we can't create a flow.

Flow is what we use to switch traffic in hardware.

The recommendation is to send this traffic around the CSS with policy routing.

It's difficult to say how much packet we can support.

The problem is the CPU and what it is doing.

If you have lot of keepalives, or L7 rules, or ... your number of packet/sec will be very limited.

If you really want to know how much we can do in software check the white paper for Layer7 performance [this is also done in hardware]

If this is a new design, you should really try to not send ipsec traffic through the CSS.

As I said before, we do not plan to support ipsec on the CSS.

Gilles.